Ethics

We live in a data driven world with data presenting us diverse commercial and domestic opportunities. These opportunities often rely on various forms of personal data, and this raises moral questions about what data is collected and how it is used – and this is arguably just the beginning.

Organisations today place more value than ever on personal data, our personal data, especially as many depend on the high-volume collection and monetisation of personal records. Companies collect and profit from the use of data on the understanding that it is not exploited or put at risk. In recent years Europe and Jersey have significantly improved data privacy legislation, a key part of our law is that it details specific grounds for a company’s granted use of our personal data, including public interest, legal obligation and consent. The new laws, driven by GDPR were introduced to answer society’s increasing data privacy concerns, so these grounds can therefore be considered the sole ‘ethical uses of data’.

The benefits of effective data protection being:

• It helps redress imbalance between the individual and the state, but also between the individual and companies that collect, process and communicate their data to third parties.
• It preserves democracy, but also protects the individual in the face of massive technological change and generate trust in the digital economy.

In order to process non- sensitive personal information, organisations must have a lawful reason;

• consent
• to carry out a contract
• to protect the vital interests of a person
• for the performance of a public function and in order for an organisation to meet a legal obligation
• the legitimate interests of a company/organisation

Any one of the reasons given above can provide a legal basis for processing personal data. Provided a business can prove that its use of the data is sensible and does not violate the data subject’s natural rights to privacy, then it is permissible. This means that ‘legitimate interest’ relies on a perception of ethical conduct.

But the ethical framework against which this judgement will be made is changing, thus data ethics is both critical and fragile.

Transparency is everything; if companies are as open and transparent as they can be, stating at the earliest possible opportunity how and why they are using personal data, they validate their activities and earn the trust of their customers. Such ‘transparency’ from organisations requires absolute confidence in their legal and ethical standing, as well as in their processes and technologies.

Extract from the Law

15 Data protection by design and by default

• A controller must, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures that are designed to

1. 1.  implement the data protection principles in an effective manner; and
       integrate the necessary safeguards into the processing to meet the requirements of this Law and protect the rights of data subjects.
   2. In determining whether or not a measure is appropriate for the purposes of this Article, regard must be had to the state of technological development, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.

(3) The technical and organizational measures must ensure as far as practicable that, by default

1. only personal data that are necessary for each specific purpose of the processing are processed; and
2. personal data are not made accessible to an indefinite number of natural persons without the data subject’s consent or other lawful authority.

• Paragraph (3) applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
• Adherence to a code or evidence of certification may provide evidence that an individual controller has or has not contravened paragraph (1)